CVE-2025-7558 is a SQL Injection vulnerability identified in version 1.0 of the code-projects Voting System, specifically within the /admin/positions_add.php file. The vulnerability arises from improper sanitization or validation of the 'description' parameter, which can be manipulated by an attacker to inject malicious SQL code. This flaw allows an unauthenticated remote attacker with low privileges to execute arbitrary SQL commands on the backend database. The injection can lead to unauthorized data access, modification, or deletion, potentially compromising the confidentiality, integrity, and availability of the voting system's data. The vulnerability does not require user interaction and can be exploited remotely, increasing its risk profile. Although the CVSS 4.0 base score is 5.3 (medium severity), the presence of remote exploitation without authentication and the critical nature of voting systems in decision-making contexts elevate the importance of addressing this issue promptly. No patches or fixes have been disclosed yet, and no known exploits are currently observed in the wild, but public disclosure of the exploit details increases the risk of exploitation by threat actors.

For European organizations using the code-projects Voting System 1.0, this vulnerability poses significant risks. Voting systems are often integral to organizational decision-making, elections, or polling processes, and compromise could lead to manipulation or falsification of voting results, undermining trust and operational integrity. Confidential data such as voter information or voting outcomes could be exposed or altered, leading to reputational damage and potential legal consequences under regulations like GDPR. The ability to remotely exploit this vulnerability without authentication increases the attack surface, especially for organizations with internet-facing administrative interfaces. Disruption or data corruption could also impact availability, causing operational downtime or delays in critical decision processes. Given the medium CVSS score but critical context of voting systems, the impact on European entities relying on this software could be substantial if exploited.

Immediate mitigation should focus on restricting access to the /admin/positions_add.php endpoint by implementing network-level controls such as IP whitelisting or VPN access to limit exposure to trusted administrators only. Input validation and sanitization must be enforced on the 'description' parameter to prevent SQL injection, ideally by using parameterized queries or prepared statements in the application code. Organizations should conduct a thorough code review and penetration testing of the voting system to identify and remediate similar injection points. Until an official patch is released, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting this endpoint. Monitoring and logging of all administrative actions and anomalous database queries should be enhanced to detect potential exploitation attempts early. Additionally, organizations should plan for timely patching once a fix becomes available and review their incident response plans to address potential exploitation scenarios.